Open In App

Amazon Web Services – Restricting S3 Access Only From CloudFront

Last Updated : 28 Mar, 2023
Improve
Improve
Like Article
Like
Save
Share
Report

In this article, we will look into how to restrict access to Simple Storage Service (S3) from CloudFront only. When developers are using S3 REST API  endpoint as the origin to CloudFront, they can restrict access to S3 from CloudFront only by setting up the Origin Access Identity(OAI). This is a special CloudFront user, which they will associate with the distribution.

Users can then add permissions on the S3 bucket, or the objects in an S3 bucket,  to allow access only to this origin access identity. When the user accesses the S3 object through CloudFront, the origin access identity gets the object on behalf of the users. If the users try to access the S3 URL directly, their access is denied.

This makes sure that the client can access objects in the S3 bucket but only by CloudFront. This is an additional layer of security and customers can control traffic by integrating WAF with CloudFront to secure their websites.

To create a closure on Origin access identity using the CloudFront console follow the below steps:

Step 1: Login to the AWS management console and go to CloudFront console:

Step 2: Select the distribution ID you want to add origin access identity 

.

Step 3: Then change to Edit mode and choose the Origins tab and then select the S3 origin that you want to edit.

Step 4: For Restrict Bucket Access click Yes, if you already have OAI you can choose the existing identity or you can create a new one. Here we will be choosing the existing identity, then to have CloudFront automatically update the origin access identity permission to read the objects in the S3 bucket specified in the origin domain name choose Yes, Update Bucket Policy and then click Yes, Edit.

Step 5: Now we can check if the bucket policy’s updated in the S3 bucket. To do that open S3 console in a new tab, click the S3 bucket, which is the origin of the CloudFront distribution.

Step 6: Select the permissions tab and choose bucket policy. The bucket policy is set to allow access to origin access identity associated with the CloudFront distribution.

Now if we try accessing the S3 object by directly accessing the S3 URL,  we can see there is an access denied error so the user will have access to the S3 object by only CloudFront.


Like Article
Suggest improvement
Next
Amazon Web Services - Correctly Accessing CloudFront from Amazon S3
Share your thoughts in the comments

Similar Reads

Amazon Web Services - Correctly Accessing CloudFront from Amazon S3
Amazon Web Services - Introduction to CloudFront CDN
Machine Learing (ML) Services Offered By Amazon Web Services (AWS)
Identity and Access Management (IAM) in Amazon Web Services (AWS)
Amazon Web Services - Denying Access using IAM policy for EC2 and EBS Instance
Amazon Web Services - Introduction to Amazon Lightsail
Amazon Web Services - Copy an Amazon Redshift Cluster to Different AWS Account
Amazon Web Services - Configuring Amazon S3 Event Notifications
Amazon Web Services - Amazon S3 Notifications to SNS
Amazon Web Services - Introduction to Amazon CloudWatch Synthetics

K
kumaripunam984122
Article Tags :
We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy
Lightbox